@xmldom/xmldom 0.9.0-beta.2 → 0.9.0-beta.3

package/CHANGELOG.md

@@ -4,14 +4,46 @@ All notable changes to this project will be documented in this file.
 
 This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [0.9.0-beta.2](https://github.com/xmldom/xmldom/compare/0.9.0-beta.1...0.9.0-beta.2)
+## [0.9.0-beta.3](https://github.com/xmldom/xmldom/compare/0.9.0-beta.2...0.9.0-beta.3)
+
+### Fixed
+
+- fix: Stop adding tags after incomplete closing tag [`#445`](https://github.com/xmldom/xmldom/pull/445) / [`#416`](https://github.com/xmldom/xmldom/pull/416)
+  BREAKING CHANGE: It no longer reports an error when parsing HTML containing incomplete closing tags, to align the behavior with the one in the browser.
+  BREAKING CHANGE: If your code relied on not well-formed XML to be parsed and include subsequent tags, this will no longer work.
+- fix: Avoid bidirectional characters in source code [`#440`](https://github.com/xmldom/xmldom/pull/440)
+
+### Other
+
+- ci: Add CodeQL scan [`#444`](https://github.com/xmldom/xmldom/pull/444)
+
+Thank you, [@ACN-kck](https://github.com/ACN-kck), [@mgerlach](https://github.com/mgerlach) for your contributions
+
+
+## [0.7.6](https://github.com/xmldom/xmldom/compare/0.7.5...0.7.6)
+
+### Fixed
+- Avoid iterating over prototype properties [`#441`](https://github.com/xmldom/xmldom/pull/441) / [`#437`](https://github.com/xmldom/xmldom/pull/437) / [`#436`](https://github.com/xmldom/xmldom/issues/436)
 
+Thank you, [@jftanner](https://github.com/jftanner), [@Supraja9726](https://github.com/Supraja9726) for your contributions
+
+
+## [0.8.3](https://github.com/xmldom/xmldom/compare/0.8.3...0.8.2)
+
+### Fixed
+- Avoid iterating over prototype properties [`#437`](https://github.com/xmldom/xmldom/pull/437) / [`#436`](https://github.com/xmldom/xmldom/issues/436)
+
+Thank you, [@Supraja9726](https://github.com/Supraja9726) for your contributions
+
+
+## [0.9.0-beta.2](https://github.com/xmldom/xmldom/compare/0.9.0-beta.1...0.9.0-beta.2)
 
 ### Fixed
 - Avoid iterating over prototype properties [`#437`](https://github.com/xmldom/xmldom/pull/437) / [`#436`](https://github.com/xmldom/xmldom/issues/436)
 
 Thank you, [@Supraja9726](https://github.com/Supraja9726) for your contributions
 
+
 ## [0.9.0-beta.1](https://github.com/xmldom/xmldom/compare/0.8.2...0.9.0-beta.1)
 
 ### Fixed
@@ -55,6 +87,7 @@ Thank you [@weiwu-zhang](https://github.com/weiwu-zhang) for your contributions
 
 - update multiple devDependencies
 
+
 ## [0.8.2](https://github.com/xmldom/xmldom/compare/0.8.1...0.8.2)
 
 ### Fixed

package/SECURITY.md

@@ -6,20 +6,20 @@ The most up-to-date version of this document can be found at <https://github.com
 
 This repository contains the code for the libraries `xmldom` and `@xmldom/xmldom` on npm.
 
-As long as we didn't publish v1, we aim to maintain the last two minor versions with security fixes. If it is possible we provide security fixes as path versions.
-If you think there is a good reason to also patch an earlier version let us know in a github issue or the release discussion once the fix has been provided. 
-The maintainers will consider it and if we agree and have/find the required resources, a patch for that version will be provided.
+As long as we didn't publish v1, we aim to maintain the last two minor versions with security fixes. If it is possible we provide security fixes as patch versions.
+If you think there is a good reason to also patch an earlier version, let us know in a GitHub issue or the release discussion once the fix has been provided. 
+The maintainers will consider it, and if we agree and have/find the required resources, a patch for that version will be provided.
 
 Please notice that [we are no longer able to publish the (unscoped) `xmldom` package](https://github.com/xmldom/xmldom/issues/271), 
 and that all existing versions of `xmldom` are affected by at least one security vulnerability and should be considered deprecated.
 You can still report issues regarding `xmldom` as described below.
 
-If you need help with migrating from `xmldom` to `@xmldom/xmldom`, file a github issue or PR in the affected repository and mention @karfau.
+If you need help with migrating from `xmldom` to `@xmldom/xmldom`, file a GitHub issue or PR in the affected repository and mention @karfau.
 
 ## Reporting vulnerabilities
 
 Please email reports about any security related issues you find to `security@xmldom.org`, which will forward it to the list of maintainers. 
-The maintainers will try to respond within 7 calendar days. (If nobody peplies after 7 days, please us send a reminder!)
+The maintainers will try to respond within 7 calendar days. (If nobody replies after 7 days, please us send a reminder!)
 As part of you communication please make sure to always hit "Reply all", so all maintainers are kept in the loop.
 
 In addition, please include the following information along with your report:
@@ -29,15 +29,15 @@ In addition, please include the following information along with your report:
 - An explanation who can exploit this vulnerability, and what they gain when doing so -- write an attack scenario. This will help us evaluate your report quickly, especially if the issue is complex.
 - Whether this vulnerability public or known to third parties. If it is, please provide details.
 
-If you believe that an existing (public) issue is security-related, please send an email to `security@xmldom.org`. 
+If you believe that an existing (public) issue is security-related, please email `security@xmldom.org`. 
 The email should include the issue URL and a short description of why it should be handled according to this security policy.
 
 Once an issue is reported, the maintainers use the following disclosure process:
 
 - When a report is received, we confirm the issue, determine its severity and the affected versions.
 - If we know of specific third-party services or software based on xmldom that require mitigation before publication, those projects will be notified.
-- A [github security advisory](https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories) is [created](https://docs.github.com/en/code-security/security-advisories/creating-a-security-advisory) (but not published) which details the problem and steps for mitigation.
-- If the reporter provides a github account and agrees to it, we (add that github account as a collaborator on the advisuory)[https://docs.github.com/en/code-security/security-advisories/adding-a-collaborator-to-a-security-advisory].
+- A [GitHub security advisory](https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories) is [created](https://docs.github.com/en/code-security/security-advisories/creating-a-security-advisory) (but not published) which details the problem and steps for mitigation.
+- If the reporter provides a GitHub account and agrees to it, we [add that GitHub account as a collaborator on the advisory](https://docs.github.com/en/code-security/security-advisories/adding-a-collaborator-to-a-security-advisory).
 - The vulnerability is fixed in a [private fork](https://docs.github.com/en/code-security/security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability) and potential workarounds are identified.
 - The maintainers audit the existing code to find any potential similar problems.
 - The release for the current minor version and the [security advisory are published](https://docs.github.com/en/code-security/security-advisories/publishing-a-security-advisory).

package/lib/entities.js

@@ -30,242 +30,242 @@ exports.HTML_ENTITIES = freeze({
        amp: '&',
        quot: '"',
        apos: "'",
-       Agrave: "À",
-       Aacute: "Á",
-       Acirc: "Â",
-       Atilde: "Ã",
-       Auml: "Ä",
-       Aring: "Å",
-       AElig: "Æ",
-       Ccedil: "Ç",
-       Egrave: "È",
-       Eacute: "É",
-       Ecirc: "Ê",
-       Euml: "Ë",
-       Igrave: "Ì",
-       Iacute: "Í",
-       Icirc: "Î",
-       Iuml: "Ï",
-       ETH: "Ð",
-       Ntilde: "Ñ",
-       Ograve: "Ò",
-       Oacute: "Ó",
-       Ocirc: "Ô",
-       Otilde: "Õ",
-       Ouml: "Ö",
-       Oslash: "Ø",
-       Ugrave: "Ù",
-       Uacute: "Ú",
-       Ucirc: "Û",
-       Uuml: "Ü",
-       Yacute: "Ý",
-       THORN: "Þ",
-       szlig: "ß",
-       agrave: "à",
-       aacute: "á",
-       acirc: "â",
-       atilde: "ã",
-       auml: "ä",
-       aring: "å",
-       aelig: "æ",
-       ccedil: "ç",
-       egrave: "è",
-       eacute: "é",
-       ecirc: "ê",
-       euml: "ë",
-       igrave: "ì",
-       iacute: "í",
-       icirc: "î",
-       iuml: "ï",
-       eth: "ð",
-       ntilde: "ñ",
-       ograve: "ò",
-       oacute: "ó",
-       ocirc: "ô",
-       otilde: "õ",
-       ouml: "ö",
-       oslash: "ø",
-       ugrave: "ù",
-       uacute: "ú",
-       ucirc: "û",
-       uuml: "ü",
-       yacute: "ý",
-       thorn: "þ",
-       yuml: "ÿ",
+       Agrave: "\u00C0",
+       Aacute: "\u00C1",
+       Acirc: "\u00C2",
+       Atilde: "\u00C3",
+       Auml: "\u00C4",
+       Aring: "\u00C5",
+       AElig: "\u00C6",
+       Ccedil: "\u00C7",
+       Egrave: "\u00C8",
+       Eacute: "\u00C9",
+       Ecirc: "\u00CA",
+       Euml: "\u00CB",
+       Igrave: "\u00CC",
+       Iacute: "\u00CD",
+       Icirc: "\u00CE",
+       Iuml: "\u00CF",
+       ETH: "\u00D0",
+       Ntilde: "\u00D1",
+       Ograve: "\u00D2",
+       Oacute: "\u00D3",
+       Ocirc: "\u00D4",
+       Otilde: "\u00D5",
+       Ouml: "\u00D6",
+       Oslash: "\u00D8",
+       Ugrave: "\u00D9",
+       Uacute: "\u00DA",
+       Ucirc: "\u00DB",
+       Uuml: "\u00DC",
+       Yacute: "\u00DD",
+       THORN: "\u00DE",
+       szlig: "\u00DF",
+       agrave: "\u00E0",
+       aacute: "\u00E1",
+       acirc: "\u00E2",
+       atilde: "\u00E3",
+       auml: "\u00E4",
+       aring: "\u00E5",
+       aelig: "\u00E6",
+       ccedil: "\u00E7",
+       egrave: "\u00E8",
+       eacute: "\u00E9",
+       ecirc: "\u00EA",
+       euml: "\u00EB",
+       igrave: "\u00EC",
+       iacute: "\u00ED",
+       icirc: "\u00EE",
+       iuml: "\u00EF",
+       eth: "\u00F0",
+       ntilde: "\u00F1",
+       ograve: "\u00F2",
+       oacute: "\u00F3",
+       ocirc: "\u00F4",
+       otilde: "\u00F5",
+       ouml: "\u00F6",
+       oslash: "\u00F8",
+       ugrave: "\u00F9",
+       uacute: "\u00FA",
+       ucirc: "\u00FB",
+       uuml: "\u00FC",
+       yacute: "\u00FD",
+       thorn: "\u00FE",
+       yuml: "\u00FF",
        nbsp: "\u00a0",
-       iexcl: "¡",
-       cent: "¢",
-       pound: "£",
-       curren: "¤",
-       yen: "¥",
-       brvbar: "¦",
-       sect: "§",
-       uml: "¨",
-       copy: "©",
-       ordf: "ª",
-       laquo: "«",
-       not: "¬",
-       shy: "­­",
-       reg: "®",
-       macr: "¯",
-       deg: "°",
-       plusmn: "±",
-       sup2: "²",
-       sup3: "³",
-       acute: "´",
-       micro: "µ",
-       para: "¶",
-       middot: "·",
-       cedil: "¸",
-       sup1: "¹",
-       ordm: "º",
-       raquo: "»",
-       frac14: "¼",
-       frac12: "½",
-       frac34: "¾",
-       iquest: "¿",
-       times: "×",
-       divide: "÷",
-       forall: "∀",
-       part: "∂",
-       exist: "∃",
-       empty: "∅",
-       nabla: "∇",
-       isin: "∈",
-       notin: "∉",
-       ni: "∋",
-       prod: "∏",
-       sum: "∑",
-       minus: "−",
-       lowast: "∗",
-       radic: "√",
-       prop: "∝",
-       infin: "∞",
-       ang: "∠",
-       and: "∧",
-       or: "∨",
-       cap: "∩",
-       cup: "∪",
-       'int': "∫",
-       there4: "∴",
-       sim: "∼",
-       cong: "≅",
-       asymp: "≈",
-       ne: "≠",
-       equiv: "≡",
-       le: "≤",
-       ge: "≥",
-       sub: "⊂",
-       sup: "⊃",
-       nsub: "⊄",
-       sube: "⊆",
-       supe: "⊇",
-       oplus: "⊕",
-       otimes: "⊗",
-       perp: "⊥",
-       sdot: "⋅",
-       Alpha: "Α",
-       Beta: "Β",
-       Gamma: "Γ",
-       Delta: "Δ",
-       Epsilon: "Ε",
-       Zeta: "Ζ",
-       Eta: "Η",
-       Theta: "Θ",
-       Iota: "Ι",
-       Kappa: "Κ",
-       Lambda: "Λ",
-       Mu: "Μ",
-       Nu: "Ν",
-       Xi: "Ξ",
-       Omicron: "Ο",
-       Pi: "Π",
-       Rho: "Ρ",
-       Sigma: "Σ",
-       Tau: "Τ",
-       Upsilon: "Υ",
-       Phi: "Φ",
-       Chi: "Χ",
-       Psi: "Ψ",
-       Omega: "Ω",
-       alpha: "α",
-       beta: "β",
-       gamma: "γ",
-       delta: "δ",
-       epsilon: "ε",
-       zeta: "ζ",
-       eta: "η",
-       theta: "θ",
-       iota: "ι",
-       kappa: "κ",
-       lambda: "λ",
-       mu: "μ",
-       nu: "ν",
-       xi: "ξ",
-       omicron: "ο",
-       pi: "π",
-       rho: "ρ",
-       sigmaf: "ς",
-       sigma: "σ",
-       tau: "τ",
-       upsilon: "υ",
-       phi: "φ",
-       chi: "χ",
-       psi: "ψ",
-       omega: "ω",
-       thetasym: "ϑ",
-       upsih: "ϒ",
-       piv: "ϖ",
-       OElig: "Œ",
-       oelig: "œ",
-       Scaron: "Š",
-       scaron: "š",
-       Yuml: "Ÿ",
-       fnof: "ƒ",
-       circ: "ˆ",
-       tilde: "˜",
-       ensp: " ",
-       emsp: " ",
-       thinsp: " ",
-       zwnj: "‌",
-       zwj: "‍",
-       lrm: "‎",
-       rlm: "‏",
-       ndash: "–",
-       mdash: "—",
-       lsquo: "‘",
-       rsquo: "’",
-       sbquo: "‚",
-       ldquo: "“",
-       rdquo: "”",
-       bdquo: "„",
-       dagger: "†",
-       Dagger: "‡",
-       bull: "•",
-       hellip: "…",
-       permil: "‰",
-       prime: "′",
-       Prime: "″",
-       lsaquo: "‹",
-       rsaquo: "›",
-       oline: "‾",
-       euro: "€",
-       trade: "™",
-       larr: "←",
-       uarr: "↑",
-       rarr: "→",
-       darr: "↓",
-       harr: "↔",
-       crarr: "↵",
-       lceil: "⌈",
-       rceil: "⌉",
-       lfloor: "⌊",
-       rfloor: "⌋",
-       loz: "◊",
-       spades: "♠",
-       clubs: "♣",
-       hearts: "♥",
-       diams: "♦"
+       iexcl: "\u00A1",
+       cent: "\u00A2",
+       pound: "\u00A3",
+       curren: "\u00A4",
+       yen: "\u00A5",
+       brvbar: "\u00A6",
+       sect: "\u00A7",
+       uml: "\u00A8",
+       copy: "\u00A9",
+       ordf: "\u00AA",
+       laquo: "\u00AB",
+       not: "\u00AC",
+       shy: "\u00AD",
+       reg: "\u00AE",
+       macr: "\u00AF",
+       deg: "\u00B0",
+       plusmn: "\u00B1",
+       sup2: "\u00B2",
+       sup3: "\u00B3",
+       acute: "\u00B4",
+       micro: "\u00B5",
+       para: "\u00B6",
+       middot: "\u00B7",
+       cedil: "\u00B8",
+       sup1: "\u00B9",
+       ordm: "\u00BA",
+       raquo: "\u00BB",
+       frac14: "\u00BC",
+       frac12: "\u00BD",
+       frac34: "\u00BE",
+       iquest: "\u00BF",
+       times: "\u00D7",
+       divide: "\u00F7",
+       forall: "\u2200",
+       part: "\u2202",
+       exist: "\u2203",
+       empty: "\u2205",
+       nabla: "\u2207",
+       isin: "\u2208",
+       notin: "\u2209",
+       ni: "\u220B",
+       prod: "\u220F",
+       sum: "\u2211",
+       minus: "\u2212",
+       lowast: "\u2217",
+       radic: "\u221A",
+       prop: "\u221D",
+       infin: "\u221E",
+       ang: "\u2220",
+       and: "\u2227",
+       or: "\u2228",
+       cap: "\u2229",
+       cup: "\u222A",
+       'int': "\u222B",
+       there4: "\u2234",
+       sim: "\u223C",
+       cong: "\u2245",
+       asymp: "\u2248",
+       ne: "\u2260",
+       equiv: "\u2261",
+       le: "\u2264",
+       ge: "\u2265",
+       sub: "\u2282",
+       sup: "\u2283",
+       nsub: "\u2284",
+       sube: "\u2286",
+       supe: "\u2287",
+       oplus: "\u2295",
+       otimes: "\u2297",
+       perp: "\u22A5",
+       sdot: "\u22C5",
+       Alpha: "\u0391",
+       Beta: "\u0392",
+       Gamma: "\u0393",
+       Delta: "\u0394",
+       Epsilon: "\u0395",
+       Zeta: "\u0396",
+       Eta: "\u0397",
+       Theta: "\u0398",
+       Iota: "\u0399",
+       Kappa: "\u039A",
+       Lambda: "\u039B",
+       Mu: "\u039C",
+       Nu: "\u039D",
+       Xi: "\u039E",
+       Omicron: "\u039F",
+       Pi: "\u03A0",
+       Rho: "\u03A1",
+       Sigma: "\u03A3",
+       Tau: "\u03A4",
+       Upsilon: "\u03A5",
+       Phi: "\u03A6",
+       Chi: "\u03A7",
+       Psi: "\u03A8",
+       Omega: "\u03A9",
+       alpha: "\u03B1",
+       beta: "\u03B2",
+       gamma: "\u03B3",
+       delta: "\u03B4",
+       epsilon: "\u03B5",
+       zeta: "\u03B6",
+       eta: "\u03B7",
+       theta: "\u03B8",
+       iota: "\u03B9",
+       kappa: "\u03BA",
+       lambda: "\u03BB",
+       mu: "\u03BC",
+       nu: "\u03BD",
+       xi: "\u03BE",
+       omicron: "\u03BF",
+       pi: "\u03C0",
+       rho: "\u03C1",
+       sigmaf: "\u03C2",
+       sigma: "\u03C3",
+       tau: "\u03C4",
+       upsilon: "\u03C5",
+       phi: "\u03C6",
+       chi: "\u03C7",
+       psi: "\u03C8",
+       omega: "\u03C9",
+       thetasym: "\u03D1",
+       upsih: "\u03D2",
+       piv: "\u03D6",
+       OElig: "\u0152",
+       oelig: "\u0153",
+       Scaron: "\u0160",
+       scaron: "\u0161",
+       Yuml: "\u0178",
+       fnof: "\u0192",
+       circ: "\u02C6",
+       tilde: "\u02DC",
+       ensp: "\u2002",
+       emsp: "\u2003",
+       thinsp: "\u2009",
+       zwnj: "\u200C",
+       zwj: "\u200D",
+       lrm: "\u200E",
+       rlm: "\u200F",
+       ndash: "\u2013",
+       mdash: "\u2014",
+       lsquo: "\u2018",
+       rsquo: "\u2019",
+       sbquo: "\u201A",
+       ldquo: "\u201C",
+       rdquo: "\u201D",
+       bdquo: "\u201E",
+       dagger: "\u2020",
+       Dagger: "\u2021",
+       bull: "\u2022",
+       hellip: "\u2026",
+       permil: "\u2030",
+       prime: "\u2032",
+       Prime: "\u2033",
+       lsaquo: "\u2039",
+       rsaquo: "\u203A",
+       oline: "\u203E",
+       euro: "\u20AC",
+       trade: "\u2122",
+       larr: "\u2190",
+       uarr: "\u2191",
+       rarr: "\u2192",
+       darr: "\u2193",
+       harr: "\u2194",
+       crarr: "\u21B5",
+       lceil: "\u2308",
+       rceil: "\u2309",
+       lfloor: "\u230A",
+       rfloor: "\u230B",
+       loz: "\u25CA",
+       spades: "\u2660",
+       clubs: "\u2663",
+       hearts: "\u2665",
+       diams: "\u2666"
 });
 
 /**

package/lib/sax.js

@@ -122,19 +122,18 @@ function parse(source,defaultNSMapCopy,entityMap,domBuilder,errorHandler){
 				appendText(tagStart);
 			}
 			switch(source.charAt(tagStart+1)){
-			case '/':
-				var end = source.indexOf('>',tagStart+3);
-				var tagName = source.substring(tagStart + 2, end).replace(/[ \t\n\r]+$/g, '');
+				case '/':
 				var config = parseStack.pop();
-				if(end<0){
-
-	        		tagName = source.substring(tagStart+2).replace(/[\s<].*/,'');
-	        		errorHandler.error("end tag name: "+tagName+' is not complete:'+config.tagName);
-	        		end = tagStart+1+tagName.length;
-	        	}else if(tagName.match(/\s</)){
-	        		tagName = tagName.replace(/[\s<].*/,'');
-	        		errorHandler.error("end tag name: "+tagName+' maybe not complete');
-	        		end = tagStart+1+tagName.length;
+				var end = source.indexOf(">", tagStart + 3);
+				var tagNameRaw = source.substring(tagStart + 2, end > 0 ? end : undefined);
+				var tagNameMatch = new RegExp("(" + tagNamePattern.source.slice(0, -1) + ")").exec(tagNameRaw);
+				// for the root level the config does not contain the tagName
+				var tagName = tagNameMatch && tagNameMatch[1] ? tagNameMatch[1] : (config.tagName || domBuilder.doc.documentElement.tagName);
+				if (end < 0) {
+					errorHandler.error("end tag name: " + tagName + " is not complete");
+					end = tagStart + 1 + tagName.length;
+				} else if (tagNameRaw.match(/</) && !isHTML) {
+					errorHandler.error("end tag name: " + tagName + " maybe not complete");
 				}
 				var localNSMap = config.localNSMap;
 				var endMatch = config.tagName == tagName;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@xmldom/xmldom",
-  "version": "0.9.0-beta.2",
+  "version": "0.9.0-beta.3",
   "description": "A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.",
   "keywords": [
     "w3c",
@@ -46,6 +46,7 @@
     "auto-changelog": "2.4.0",
     "eslint": "8.25.0",
     "eslint-config-prettier": "8.5.0",
+    "eslint-plugin-anti-trojan-source": "1.1.0",
     "eslint-plugin-es5": "1.5.0",
     "eslint-plugin-prettier": "4.2.1",
     "get-stream": "6.0.1",